Identity, Trust and Security
Identity, Trust and Security are cross-cutting concerns that need to be addressed in the SAM software development process in order to protect the software system when it is in operation.
Wikipedia provides some introductory information on
Generally, the minimum goal in Information Security is to protect the confidentiality, integrity and availability of the system to be protected (CIA triad).
- 1 Introduction
- 2 Relevance to SAM
- 3 State of the Art Analysis
- 4 SAM Approach
- 5 References
Key Protection Mechanisms
Identification and Authentication
Identities frequently take the form of unique identifiers, while authentication may use a variety of mechanisms, which can differ depending on the kind of entity being authenticated (for example humans, hardware devices or software services). In digital communications, authentication can be based on digital keys or certificates, for instance by using a public-key infrastructure.
Authorisation is concerned with determining which actions a (presumably authenticated) entity is allowed to carry out in an environment. This is determined by using access control mechanisms. Role-based access control is used widely, for instance to protect files managed by UNIX operating systems. Attribute-based access control is a more general form of access control: access control policies are defined over the attributes available for evaluation (of the subject, the resource, the action and the environment). The XACML policy language is an example of a policy language for such attribute-based access control.
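The following is an added example, not code from the SAM project: a minimal attribute-based policy evaluator in the spirit of XACML, with rules over subject, resource, action and environment attributes, a deny-overrides combining algorithm and default deny. The role-based rule shows that RBAC is the special case where the only subject attribute consulted is the role list; the policy and attribute names are constructed for illustration.

```python
# Added example (not SAM project code): a tiny XACML-style ABAC evaluator.
# Rules are predicates over the request's attributes; "Deny" rules override
# any "Permit"; a request matching no rule is NotApplicable (denied by the PEP).
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]

@dataclass
class Request:
    subject: Attrs
    resource: Attrs
    action: str
    environment: Attrs = field(default_factory=dict)

@dataclass
class Rule:
    name: str
    effect: str                      # "Permit" or "Deny"
    target: Callable[[Request], bool]

def evaluate(rules: List[Rule], req: Request) -> str:
    """Deny-overrides combining: any applicable Deny wins; otherwise an
    applicable Permit wins; otherwise NotApplicable."""
    decision = "NotApplicable"
    for rule in rules:
        if not rule.target(req):
            continue
        if rule.effect == "Deny":
            return "Deny"
        decision = "Permit"
    return decision

def is_permitted(rules: List[Rule], req: Request) -> bool:
    """Policy enforcement point view: only an explicit Permit grants access."""
    return evaluate(rules, req) == "Permit"

# Constructed sample policy for a document in cloud storage:
#  - owners may read and write their own documents (attribute comparison)
#  - the "auditor" role may read anything (RBAC as a special case of ABAC)
#  - nobody may write outside working hours (environment attribute)
POLICY = [
    Rule("owner-rw", "Permit",
         lambda r: r.subject["id"] == r.resource["owner"]
         and r.action in ("read", "write")),
    Rule("auditor-read", "Permit",
         lambda r: "auditor" in r.subject.get("roles", ())
         and r.action == "read"),
    Rule("no-offhours-write", "Deny",
         lambda r: r.action == "write"
         and not 8 <= r.environment.get("hour", 12) < 18),
]
```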
Cryptographic methods are used in order to protect identities, communications and digital data from unauthorised access as well as from unauthorised changes and manipulation. Cryptographic methods hence support the protection goals of confidentiality and integrity. Cryptographic methods generally use key-based encryption methods, in which a key is needed in order to decrypt an encrypted message.
Challenges in Distributed and Federated Protection Scenarios
Distributed and federated protection scenarios can require additional protection mechanisms in order to establish the security of the environment to be protected. Because the communicating entities are themselves distributed, such environments require increased protection of communication. They also require at least one additional layer of authentication, in which the distributed entities that take part in protecting the system are themselves authenticated, so that each of them is verified to be the entity it claims to be.
Further challenges include addressing response time and availability constraints that may result from distributed deployments and the need to address conflicts between distributed security components, for instance when two authentication handlers return different results for an authentication request.
Relevance to SAM
The focus of the work on Identity, Trust and Security in SAM is on ensuring that identity, trust and security are managed across federated instances of the SAM Platform. SAM will define a Security Model API for components within a SAM Platform instance and will implement a reference implementation of the API that can be used in the context of federated SAM instances. The reference implementation will then be used to protect SAM instances and in particular the federation of SAM instances. System requirements and system specification activities will incorporate identity, trust and security activities following a security-by-design approach.
In terms of security measures, the reference implementation will use standard mechanisms: security certificates for identity and trust management, and web-standard encryption technologies for ensuring confidentiality and integrity in communication. The basic building blocks of the SAM functionalities for managing identity, trust and security will apply current state-of-the-art approaches in computer security for maintaining the confidentiality, integrity and availability of the SAM Platform. At this level, the main challenge in SAM is to facilitate the federation of SAM instances effectively and efficiently without compromising the general protection goals.
State of the Art Analysis
It is beyond the scope of this activity to provide a full state of the art analysis of identity, trust and security. This section provides information and pointers to further general information on the state of the art in identity, trust and security instead.
Identification and Authentication
Kumar and Rodrigues provide an overview and comparison of commercially available identity management systems at the time of publication in 2010 based on state-of-the-art identity management taxonomies. For federated identification and authentication, as it is of interest for the SAM project (from several perspectives), the OpenID Specification and the Security Assertion Markup Language (SAML) are of particular relevance. Both provide means for federated user authentication and additional relevant identity management features. OpenID is likely best-known for being used as an identity management mechanism where end users can authenticate with websites using login credentials from trusted third parties such as Google, Twitter or Facebook. SAML is used more frequently in commercial environments in order to provide unified authentication for different types of business software systems.
Research on authorisation is concerned with access control mechanisms, including established access control mechanisms such as role-based access control. Recent research has been concerned, among other factors, with context-aware access control and with the definition of general access control policy frameworks and definition languages such as XACML. Federated authorisation processes require similarly flexible authorisation specification and communication formalisms. OAuth and UMA are two well-known approaches for formalising and communicating authorisation requests and conditions in federated environments.
Identity-based cryptography, which uses public-key infrastructure encryption mechanisms, is the state of the art in encryption approaches currently used commercially. Joye and Neven provide a competent overview of identity-based cryptography. Cryptography topics such as quantum (or post-quantum) cryptography are beyond the scope of the project and are not considered here.
- ANIKETOS: Secure and Trustworthy Composite Services
- CONSEQUENCE: Context-Aware Data-Centric Information Sharing
Standards and Policies
- ISO/IEC 15443 "Information technology - Security techniques - A framework for IT security assurance"
- OpenID Connect Core 1.0
- OASIS SAML 2.0
- OAuth 2.0 Specification
The SAM Identity and Security Services (ISS) component is primarily concerned with the authentication of users and the authorisation of access to resources of various types, including information about the user and data that may for instance be stored in the SAM cloud storage. To this end, the ISS component uses an existing identity management server as a backend system and integrates additional features and convenience functionalities through a middleware layer that exposes the required functionalities via a RESTful web service layer.
Architecture and Dependencies
The Identity and Security Services component consists of several subcomponents. The logical connections that are to be established between them are represented in the figure below.
The Identity and Security Services component:
- handles user authentication and uses an authentication token to maintain authentication session information.
- provides functionalities for user access authorisation to services and data available in the SAM Platform.
- allows other SAM components to access these functionalities through an API.
Implementation and Technologies
The ISS component uses the open source Gluu identity management server (version 2.0) as the backend for identity management. Gluu provides a number of identity management interfaces, of which the SAM project uses OpenID Connect for identity management and UMA for authorisation.
A middleware layer has been implemented in order to provide functionalities to the SAM platform that are not natively exposed via Web Services in the GLUU server system and in order to provide custom functionalities required for SAM identity management.
The final version of the ISS component completes the implementation and testing of the functionalities envisioned as part of the SAM prototype. The component was migrated to a new major revision of the Gluu backend server used in the project in order to improve overall performance and to address the remaining bugs and items for which workarounds had been applied in previous prototype versions.
The final release of the ISS component also supports federated identity management, including the integration of users from remote SAM instances as users of another SAM Platform.
- Wikipedia entry "Identity Management", https://en.wikipedia.org/wiki/Identity_Management
- Wikipedia entry "Trust Management", https://en.wikipedia.org/wiki/Trust_management_(information_system)
- Wikipedia entry "Information Security", https://en.wikipedia.org/wiki/Information_Security
- Wikipedia entry "Public Key Infrastructure", https://en.wikipedia.org/wiki/Public_key_infrastructure
- Wikipedia entry "XACML", https://en.wikipedia.org/wiki/XACML
- S. Kumar and P. Rodrigues, "A Roadmap for the Comparison of Identity Management Solutions Based on State-of-the-Art IdM Taxonomies", in "Recent Trends in Network Security and Applications", Communications in Computer and Information Science, Volume 89, Springer, 2010, pp. 349-358.
- OpenID Specification, http://openid.net/developers/specs/
- SAML Technical Committee, https://wiki.oasis-open.org/security/FrontPage
- D. Ferraiolo, D. Kuhn and R. Chandramouli, "Role-Based Access Control", Artech House, 2003.
- A. Toninelli, R. Montanari, L. Kagal and O. Lassila, "A Semantic Context-Aware Access Control Framework for Secure Collaborations in Pervasive Computing Environments", in Proceedings of the ISWC 2006 International Semantic Web Conference, 2006, pp. 473-486.
- XACML Technical Committee web site, https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
- OAuth Authorization Framework, http://oauth.net/
- User-Managed Access Profile of OAuth 2.0, http://docs.kantarainitiative.org/uma/draft-uma-core.html
- M. Joye and G. Neven (eds.), "Identity-Based Cryptography", CISS, 2006.
- ANIKETOS: Secure and Trustworthy Composite Services, http://www.aniketos.eu/
- CONSEQUENCE: Context-Aware Data-Centric Information Sharing, http://www.consequence-project.eu/
- ISO/IEC 15443, http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=59138
- OpenID Connect Core 1.0, http://openid.net/specs/openid-connect-core-1_0.html
- OASIS SAML 2.0 Core, https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf
- IETF OAuth 2.0 Specification, http://tools.ietf.org/html/rfc6749